

Employee Monitoring App Leaks 21 Million Screenshots In Real Time (cybernews.com) 15
An anonymous reader quotes a report from Cybernews: Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies. The app, designed to track productivity by logging activity and snapping regular screenshots of employees' screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame. The leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide. After the company was contacted, access to the unsecured database was secured. An official comment has yet to be received.
Snooping Turtles All The Way Down Principle (Score:5, Insightful)
Any tool that helps managers or law enforcement snoop will eventually be breached by hackers, who then also snoop.
Re: Snooping Turtles All The Way Down Principle (Score:3)
Also... wouldn't simply monitoring their output goals be the right way to do this? It's info a business needs anyway and doesn't require external access from 3rd parties.
Actual metrics or progress are hard to get ... (Score:3, Informative)
Also... wouldn't simply monitoring their output goals be the right way to do this? It's info a business needs anyway and doesn't require external access from 3rd parties.
I expect it's motivated by remote work. Judging progress towards a goal would require a manager who is well qualified to judge the amount of work necessary for a task, to be in frequent communication with an employee to know of any unexpected problems delaying completion, perhaps helping to address those problems, etc. In other words, it would require management to be doing a lot of work keeping informed and up to date and being useful. An app that tells them how many hours a day someone is moving a mouse o
Even potentially password too... (Score:2)
Even potentially passwords too, since more and more browsers, web sites and apps have had a brilliant idea and now display a button to make the password visible on the login page.
Re: Even potentially password too... (Score:2)
Not showing passwords won't help you when the snooping app also logs the keys you press.
And yet no remorse for installing it... (Score:5, Insightful)
And yet the execs who ordered the installation of this literal spyware will still keep insisting that it was the right thing to do even after this breach. Heck, even if the breach had compromised their root passwords and gotten their servers taken down for a week, they would still believe that spying on their employees was the right thing to do.
Why? Because the sorts of bosses who install employee monitoring software are, for the most part, the sorts of people who think that preventing even one person from freeloading off the company is more important than ensuring that people are able to do their jobs and make money for the company. These are the same sorts of people who want to make it harder for living elderly people to collect their Social Security checks, despite incredibly low levels of fraud, because incredibly low is not zero. These are the same sorts of people who want to make it harder to vote, despite incredibly low levels of fraud, because incredibly low is not zero.
This way of thinking is a disease that rots companies and countries from the inside out.
There are exceptions, of course — the sorts of companies that frequently experience state actors trying to exfiltrate data and source code, for example — but I can likely list all of the companies that this exception applies to, and can count them on one hand as long as I use binary.
So I'm rolling my eyes and experiencing a decent amount of schadenfreude right now. Just saying.
Wait for it (Score:5, Informative)
This will eventually happen to Microsoft Recall ... on a much grander scale.
Re: (Score:2)
This will eventually happen to Microsoft Recall ... on a much grander scale.
Maybe even a Total Recall, but *much* less enjoyable/entertaining -- I'm guessing anyway. :-)
Re: Wait for it (Score:2)
For many people it will be wildly entertaining... I'm starting to fill my popcorn stash expecting the grand show.
Re: Wait for it (Score:2)
Until some data exfiltration malware helpfully does it.
Re: Wait for it (Score:2)
P.S. Few files on my boss' computer can be more embarrassing than eventual screenshots of the porn he watches.
Imagine my shock! (Score:2)
In this instance the only way to see my 'shocked face' is to imagine it, because I'm not even surprised, never mind shocked. In fact, the phrase "I told ya so" comes to mind.
Public AWS bucket? (Score:2)
I am going to have to ask... making an AWS bucket public takes deliberate doing. You have to set a flag on the entire tenant to allow it, and then explicitly set it public. This never happens on accident.
Now, the employee monitoring stuff. Since it has screenshots and such of all data, its data classification winds up having to be at the highest level that a company has. This means encryption, compartmentalization, even physical checks of where the data is stored. All audited. It seems these bossware
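Added example, not part of the original thread or of any vendor's code: both the summary and the comment above turn on how an S3 bucket ends up readable by anyone, so this Python check evaluates a bucket's Block Public Access settings, ACL and policy offline and reports what still exposes it. The dict shapes follow the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses; the function names, the bucket name and the sample data are constructed, and the policy test is a simplified heuristic.

```python
# Added example: offline check of S3 exposure. All sample data is constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_bpa(account, bucket):
    # A setting enabled at either the account or the bucket level applies.
    return {k: bool(account.get(k)) or bool(bucket.get(k)) for k in BPA_KEYS}

def public_acl_grants(acl):
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_sids(policy):
    # Simplified heuristic (assumption): Allow + wildcard principal + no Condition.
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    sids = []
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            sids.append(s.get("Sid", "<no Sid>"))
    return sids

def exposure(account_bpa, bucket_bpa, acl, policy):
    bpa = effective_bpa(account_bpa, bucket_bpa)
    findings = []
    grants = public_acl_grants(acl)
    if grants and not bpa["IgnorePublicAcls"]:
        findings.append("public ACL grant: " + ",".join(grants))
    sids = public_policy_sids(policy)
    if sids and not bpa["RestrictPublicBuckets"]:
        findings.append("public policy statement: " + ",".join(sids))
    return findings

# Constructed sample: a bucket whose policy lets anyone read objects.
OPEN = {k: False for k in BPA_KEYS}
SAMPLE_ACL = {"Grants": []}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-screenshots/*"}]}

if __name__ == "__main__":
    print(exposure(OPEN, OPEN, SAMPLE_ACL, SAMPLE_POLICY))
```

An empty result means neither a public ACL grant nor an unconditioned wildcard policy statement is in effect; turning on `RestrictPublicBuckets` or `IgnorePublicAcls` at the account level clears the corresponding finding for every bucket in the account.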